Botmetric Brings Unique Click to Fix for AWS Security Group Audit

In today’s day and age, deploying solutions and products on the cloud has become the new norm. However, managing your cloud infrastructure, implementing critical cloud security controls, and preventing vulnerabilities can become quite challenging.

Security & Compliance

Botmetric’s Security & Compliance simplifies the process of discovering and rectifying the threats as well as shortcomings in your AWS infrastructure by providing a comprehensive set of audits and recommendations, which saves a lot of time and makes eliminating unused Security Groups easy.

Botmetric’s Security & Compliance embeds a culture of continuous security and DevSecOps by automating industry best practices for cloud compliance and security. For an AWS user, this simplifies discovering and rectifying threats.

Remediation of Security Threats with Botmetric

At Botmetric, we believe in simplifying cloud management for our customers. To amplify this, we provide the ‘click to fix’ feature for many of our Security & Compliance audits. This feature enables users to implement the best practices recommended by Botmetric simply with the click of a button. While saving a lot of time and effort, it also eliminates the possibility of human error. Moreover, rather than manually fixing each and every resource, Botmetric allows you to select multiple resources and fix them all at once.  

Click to Fix Security Group Audit

In an effort to allow our users to easily secure their cloud, we have recently added the ‘click to fix’ feature for all Botmetric security group audits.

Why Botmetric Built Click to Fix for AWS Security Group Audits?

Security groups in AWS provide an efficient way to control access to resources on your network. The rules you define in security groups should be scrutinized, for the simple reason that you could end up granting wide-open access and thereby increasing the risk of a security breach. The security group audits provided by Botmetric discover issues such as security groups with TCP/UDP ports open to the public, server ports open to the public, port ranges open to the public, and so on. These are serious security loopholes that could leave your cloud open to malicious attacks.

Botmetric’s ‘click to fix’ feature for AWS security group audits deletes the vulnerable security group rule, thereby securing access to your cloud resources and protecting your cloud infrastructure.


List of AWS Security Group Audits provided by Botmetric

  • Database Ports

Protecting database ports is crucial: you would not want an access leak or a database port open to the wrong source. Botmetric scans for database ports open to the public, to specific IPs, and to private subnets. Securing these keeps your database ports safe within a security group.

  • Server Ports

This is very essential, as a lot of security issues and vulnerabilities have been caused by exposed server ports. Botmetric secures server ports open to the public, to specific IPs, and to private subnets.

  • TCP, UDP and ICMP Ports

Everything we do on the internet relies on these protocols; here Botmetric secures ports open to both the public and specific IPs.

There are a few more Security Group controls, such as All Traffic and Port Range, that are also secured by the audits.
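To make the audit categories above concrete, here is an added example (not Botmetric’s code) that reproduces the same kind of checks offline. It reads the JSON shape returned by `aws ec2 describe-security-groups`, flags ingress rules whose source is the whole Internet (0.0.0.0/0 or ::/0), sorts each into one of the categories listed above, and builds the exact parameters that the `ec2:RevokeSecurityGroupIngress` call mentioned later in this post would need to remove only that rule. The port-to-category mapping and the sample security groups are this example’s own assumptions.

```python
"""Offline audit of security-group ingress rules open to the public Internet.

Added example, not Botmetric's code. Input is the JSON shape returned by
`aws ec2 describe-security-groups`; the sample below is constructed.
"""
import json

# Which ports count as "database" or "server" ports is an assumption of this example.
DATABASE_PORTS = {1433: "MSSQL", 1521: "Oracle", 3306: "MySQL",
                  5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}
SERVER_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def classify_rule(protocol, from_port, to_port):
    """Map one ingress rule to the audit category it belongs to."""
    if protocol == "-1":            # AWS encodes "all protocols / all traffic" as -1
        return "All Traffic"
    if protocol == "icmp":
        return "ICMP Ports"
    if from_port != to_port:
        return "Port Range"
    if from_port in DATABASE_PORTS:
        return f"Database Ports ({DATABASE_PORTS[from_port]})"
    if from_port in SERVER_PORTS:
        return f"Server Ports ({SERVER_PORTS[from_port]})"
    return f"{protocol.upper()} Ports"


def public_sources(permission):
    """Yield the IPv4/IPv6 CIDRs in one IpPermissions entry that mean 'anyone'."""
    for rng in permission.get("IpRanges", []):
        if rng.get("CidrIp") in PUBLIC_CIDRS:
            yield rng["CidrIp"]
    for rng in permission.get("Ipv6Ranges", []):
        if rng.get("CidrIpv6") in PUBLIC_CIDRS:
            yield rng["CidrIpv6"]


def audit_security_groups(describe_output):
    """Return one finding per publicly open ingress rule.

    Each finding carries the IpPermissions entry that a RevokeSecurityGroupIngress
    call (CLI --ip-permissions / boto3 IpPermissions=) needs to remove exactly
    that rule and nothing else.
    """
    findings = []
    for group in describe_output["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            protocol = perm["IpProtocol"]
            from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
            for cidr in public_sources(perm):
                revoke_entry = {"IpProtocol": protocol}
                if from_port is not None:      # absent for IpProtocol "-1"
                    revoke_entry["FromPort"] = from_port
                    revoke_entry["ToPort"] = to_port
                if ":" in cidr:
                    revoke_entry["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
                else:
                    revoke_entry["IpRanges"] = [{"CidrIp": cidr}]
                findings.append({
                    "GroupId": group["GroupId"],
                    "GroupName": group.get("GroupName", ""),
                    "Category": classify_rule(protocol, from_port, to_port),
                    "Source": cidr,
                    "RevokeParams": {"GroupId": group["GroupId"],
                                     "IpPermissions": [revoke_entry]},
                })
    return findings


# Constructed sample in the describe-security-groups output shape.
SAMPLE_DESCRIBE_OUTPUT = {
    "SecurityGroups": [
        {"GroupId": "sg-0aaa11112222bbbb3", "GroupName": "db", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-0ccc33334444dddd5", "GroupName": "app", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ]},
    ]
}

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_DESCRIBE_OUTPUT):
        print(f'{finding["GroupId"]} ({finding["GroupName"]}): '
              f'{finding["Category"]} open to {finding["Source"]}')
        print("  revoke with:", json.dumps(finding["RevokeParams"]))
```

Only the rule that is actually open to the world is put into the revoke parameters, so the SSH rule restricted to 10.0.0.0/8 in the sample is left alone; that is the difference between a targeted fix and deleting a whole security group.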

How to Enable Click to Fix for AWS Security Group Audits?

To use click to fix for security group audits, please ensure that you have added the “ec2:RevokeSecurityGroupIngress” permission to the policy of the role whose ARN is configured for Security & Compliance.

The Bottom line:

At Botmetric, we will continue to add more AWS cloud security and compliance features. We will soon come up with a detailed post on Click to Fix feature for several key AWS Security Audits. Until then stay tuned with us.

This is a newly launched feature by Botmetric. To explore this feature, take up a 14-day trial. If you have any questions on AWS security or AWS security best practices, just drop a line below in the comment section or Tweet to us at @BotmetricHQ.

Bridging the Cloud Security Gaps: With Freedom Comes Greater Responsibility

By 2019, global spending on public cloud services by businesses is expected to reach $141 billion, according to IDC reports. Approximately two-thirds of CIOs across the globe view cloud computing as a principal disruptive force in their businesses, says another leading survey. With cloud adoption currently gaining momentum, it is evident that cloud computing is here to stay, despite the cloud security concerns looming over the heads of many enterprises.

Here’s why: apart from the elasticity and agility the cloud offers, it is the freedom to swiftly launch an infrastructure with just a few clicks and have it ready in a few minutes. This is what has made developers and engineers the prime drivers of cloud adoption across organizations. Plus, organizations are saving 14 percent of their budgets on average as an outcome of public cloud adoption, according to Gartner’s 2015 cloud adoption survey. The infographic below lists a few influencing factors.

[Infographic] Image Source: AlienVault Cloud Security Report 2016

True. However, this freedom to scale the infrastructure up or down as and when required can very easily wash away that 14 percent saved on budgets if it is not handled with greater responsibility. Why? Because of cloud security gaps that need to be filled, says Amarkant Singh, Head of Product, Botmetric, in one of his articles.

“With Freedom comes greater Responsibility.” And with the choice of public cloud that features shared responsibility model, you need to pay close attention to key security measures from time to time.

Security in the Cloud: A Shared Responsibility

Customers of public cloud services are responsible for their data security and access management of cloud resources. For instance, if you’re using AWS EC2 public cloud infrastructure service, you are responsible for Amazon Machine Images (AMIs), operating systems, applications, data in transit, data at rest, data stores, credentials, policies, and configurations. According to Amarkant, a public cloud user needs to tackle four major components when it comes to cloud security:

  1. Access Controls
  2. Network Security
  3. Data Security
  4. Activity & access trail

And here’re the top five best practices, as suggested by Amarkant, that will help close the cloud security gaps within your cloud infrastructure:

1. Grant least privileges

Use this as a rule of thumb when granting privileges to users and programs. If you’re using AWS, make full use of its IAM capabilities to define very fine-grained permissions for all access points into your cloud infrastructure. Plus, make multi-factor authentication mandatory for your users. And don’t forget to rotate access credentials regularly.

2. Enable all the detective services

Leverage all the tools and configurations provided by your cloud service provider. This will help track activities within your cloud. For instance, if you use AWS, you must enable AWS CloudTrail Logs (even in regions where you don’t have instances), VPC Flow Logs, ELB Access Logs, and AWS Config.

3. Encrypt data at rest and in transit

Despite knowing the importance of encryption, very few follow it, even though they store sensitive data on the cloud. Ignorance is bliss, but it can prove costly when it comes to the security of data. Not to worry: major cloud service providers like AWS provide native encryption capabilities in their data storage services, such as RDS, S3 and EBS. Great! Now, don’t forget to use HTTPS/SSL when transferring data over the Internet or across regions.

4. Architect networks with the desired segmentation

While you architect, do follow the best practices. In the case of AWS, you can create a VPC and further segment your network into public and private subnets. Do not forget to keep your data stores in a private subnet.

5. Back up the backups

Yes! It is recommended to have one or more separate cloud accounts just to keep backups, and only a few users should have access to these accounts. Why? Say you’re using AWS EBS and take regular snapshots for backup. When the account is compromised by an attacker, it is highly likely that both the EBS volumes and their snapshots (the backup) are deleted.

To Conclude:

The statement “With Freedom comes great Responsibility”, when it comes to public cloud security, is neither hype nor an understatement. Bring the required discipline into the team to perform regular audits, follow best practices, and preferably automate key tasks, and cloud computing will never cease to amaze you. Try Botmetric Security & Compliance to see how it can help.

Do tell us what your cloud security posture is, and how you are implementing the critical cloud security controls and tackling the threat landscape for your cloud. Tweet to us. Comment to us on Facebook. Or connect with us on LinkedIn. We’re all ears!

PS: Hear the Botmetric webinar recording on AWS Security Do’s and Don’ts – Tackling the Threat Landscape by Amarkant to know more.

Editor’s Note: This blog post is an adaptation of a LinkedIn Pulse post by Amarkant Singh, published on Sep 28, 2016.

How Secure is AWS for ECommerce Businesses? Doubt No More

How secure is AWS for ecommerce businesses? As an IT leader of an ecommerce company, the responsibility to conduct a thorough risk assessment of AWS is always on you. To this end, the question of how secure AWS is for your business might keep echoing in your mind time and again. Right. So, do you see the security of your ecommerce business as a knife incessantly hanging over your head?

Just so you know, AWS is not completely responsible for the security of any system built on AWS; however, it provides many tools that help reinforce security best practices, including audit tools, compliance checkers and more. The AWS Shared Responsibility Model explains how.

The backdrop for how secure is AWS for ecommerce?

Gartner says that “Through 2020, 95 percent of cloud security failures will be the customer’s fault.” The report clearly indicates that cloud security failures until 2020 will be caused by users rather than cloud service providers. So, as a user of AWS and an IT leader of an ecommerce company, you should be able to differentiate between security ‘of’ the cloud and security ‘in’ the cloud.

When we say security of the cloud, it refers to the security of the physical and staff resources of AWS. However, when we say security in the cloud, it refers to the security of systems built on top of AWS. Even though AWS provides a simplified system for administrators to both implement and audit standard security measures, it by no means replaces these traditional measures nor promises the security of your systems. Ultimately, the security of your system is your responsibility.

And one of the stepping stones towards securing your system is to ensure that your online business is compliant with industry security standards like the Payment Card Industry Data Security Standard (PCI-DSS).

AWS and the PCI-DSS Standard

The good news is that AWS Security helps ecommerce comply with the PCI DSS Level 1 standard for physical security. This means that the underlying physical infrastructure has been audited and approved by an authorized independent Qualified Security Assessor. It’s interesting to note that AWS was the first cloud platform to earn PCI DSS Level 1 compliance. AWS also provides all the other building blocks necessary for PCI DSS Level 2 as part of its ecosystem.

Security Measures of PCI-DSS Compliance Level 2 & Other Standards

AWS, in collaboration with Anitian, a leading PCI Compliance Assessor, has published a whitepaper on best practices to be followed by ecommerce sites hosted on AWS. To ensure that PCI-DSS, ISO 27001, and other recommendations are implemented effectively, the following security measures need to be deployed along with the AWS applications.

  • Implement Web Application Firewalls (either AWS WAF or 3rd-party solutions such as ModSecurity) and ensure that sufficient rules are configured to protect against the OWASP Top 10 attacks.
  • Ensure that all system defaults, such as the port numbers of protocols like SSH, usernames/passwords, etc., are modified periodically.
  • Encrypt the entire data lifecycle, including “Data in Transit”, “Data in Use” and “Data at Rest”. For “Data in Transit”, AWS ELB (Elastic Load Balancing) should be deployed to enable SSL/TLS, which encrypts all data in transit. All AWS resources holding critical data should be placed in appropriate security groups and NACLs, so that only secure protocols are used for data communication between them. For “Data at Rest” in EBS and S3, AES-256 encryption should be used. The private keys can be stored in a Key Management System (KMS) such as AWS KMS.
  • Scan for bots and other malware periodically using vulnerability scanners like OpenVAS, OWASP ZAP, Nexpose, etc. Doing so ensures that no ports are left open through negligence. Logging mechanisms like AWS CloudTrail should be enabled. Tools like AWS CloudWatch can be used to monitor and detect anomalies in system behavior and performance.
  • Proper management of the identification and authentication of the people who can access network resources is very critical, because it prevents attackers from gaining access to the network through identity theft. System administration should be limited to a very small set of people to reduce the probability of identity theft. The AWS IAM (Identity and Access Management) tool should be linked to Active Directory services using AWS Directory Service to secure identity management. Constant monitoring of access over protocols like SSH will also help detect any malicious intrusions into the network.

To Conclude

Even if an ecommerce website has obtained PCI DSS Level 2 compliance, that does not mean it is secure from cyber-attacks like DDoS. Security is not a destination like a one-time configuration setup; it is a continual, ongoing journey. Hence, constant monitoring of the security posture is essential. Moreover, leading organizations today advocate integrating security testing into the DevOps process so that security tests like vulnerability scanning are performed every time a software update is made.

Check out Botmetric’s Security and Compliance application, which can help DevOps reinforce, manage, monitor, and govern the AWS cloud security measures mentioned above. Sign up for a 14-day trial for hands-on experience of what Botmetric offers.

As an IT leader of an ecommerce company, if you want to know other AWS security facts and tips, do read the Botmetric blog, 5 Surefire AWS Security Best Practices (Not Just) For Dummies. And to know about 21 AWS Cloud Security Best Practices, read the Botmetric blog here. Also, get in touch with us on Twitter, LinkedIn, or Facebook to know other facts about AWS and AWS security management.

AWS IAM Policies For Access Control – Part 1

AWS IAM (Identity and Access Management) helps you keep access to your AWS services and resources in control. As part one of IAM best practices for AWS access control, we will see here how IAM helps users in managing their access controls. In part 2 of this series, we will analyze some of the best practices which should be followed in IAM for AWS access controls.

AWS IAM is a web based service that helps organizations in securely controlling access to their AWS services and resources.

The service allows users to create and manage AWS users and groups within their accounts. With IAM, enterprises can use permissions to allow or deny access to their AWS resources and data. IAM allows only users with an identity within an AWS account to access the data. The identity carries unique security credentials that can be used only when authorized to access AWS services.

Without IAM, organizations with multiple users and systems would be forced to either create multiple AWS accounts, each with its own billing and subscriptions to AWS products, or employees would all have to share the security credentials of a single AWS account. There would be no way to control the tasks a particular user or system could perform and which AWS resources they might use.

Limiting user access with AWS IAM

IAM allows enterprises to easily control and manage access to their resources. With IAM, you can create individual users, each with a unique user name, password, and access keys. Since each user has unique credentials, each can be granted access to only the resources and services they need.

Users must present security credentials each time they communicate with any AWS resource. These credentials establish the identity of the user and allow them to make the call, and they are the basis on which you decide whether or not to grant the requested access.

But wouldn’t it be easier to rely on a single identity? It might seem great to log into your AWS account any time using your email address and password and have complete access to all your account’s resources. Since allowing this kind of access is far too difficult to manage and properly control, AWS recommends using only IAM credentials for day-to-day interactions with AWS, and locking away the account credentials.

IAM features and how it helps in managing access controls

  • By creating individual IAM users and groups to allocate permissions to IAM users

IAM allows users to set up an Administrators group as soon as they create their account. Under that account, IAM users who need owner rights can then be added. Now they, and no other person or entity, will have any rights over the account’s resources.

  • By enabling AWS Multi-Factor Authentication (AWS MFA) for restricted users

To stop unauthorized access, AWS suggests that users implement multi-factor authentication (MFA) in addition to their AWS account’s email address and password. A device such as a smartphone in the control of the MFA user can be configured to produce an authentication code. This code is available solely for that account and offers added security. Enabling MFA helps protect your data in the cloud. If you want to learn about security best practices for data security, read this post.

  • By offering short-term security credentials

If a user or application requires on-demand access to services and resources, AWS IAM lets enterprises grant one-off permissions. This further limits the exposure to threats.

  • By recommending that users select strong passwords

Every organization should require its users to create unique, strong passwords and change them on a regular basis.

  • By making users rotate their credentials regularly and by removing redundant credentials

It is better to get rid of idle IAM user credentials such as passwords and access keys. To know more about IAM & EC2 key-pairs, read this blog post.

  • By allowing enterprises to use AWS IAM roles for applications running on Amazon EC2 instances

When any application running on an Amazon EC2 instance needs to access other AWS services, it requires credentials. At this point, IAM plays a significant role. It offers required credentials to the applications in a safe and protected way.

  • By offering policies for extra security

IAM offers custom policies that can be attached to a principal entity for enhanced security. You can also attach multiple policies to a principal entity, and each policy can contain several permissions.
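The “grant least privileges” advice in the earlier post and the policy features described here both come down to what an IAM policy document actually allows. Here is an added example (not Botmetric’s code and not an AWS API) that lints policy documents for the usual least-privilege problems: wildcard actions, write actions on every resource, and sensitive actions allowed without an MFA condition. The choice of which action prefixes are read-only or sensitive is this example’s own assumption, the policies are constructed samples, and the account id 111122223333 is a placeholder.

```python
"""Lint IAM policy documents against the least-privilege advice.

Added example, not Botmetric's code and not an AWS API. The three checks
(wildcard actions, wildcard resources on write actions, sensitive actions
allowed without an MFA condition) are this example's reading of "grant
least privileges"; the policy documents are constructed samples and the
account id 111122223333 is a placeholder.
"""

# What counts as read-only or sensitive is an assumption of this example.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")
SENSITIVE_PREFIXES = ("iam:", "sts:", "ec2:TerminateInstances",
                      "ec2:AuthorizeSecurityGroupIngress",
                      "ec2:RevokeSecurityGroupIngress", "s3:Delete")


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    _, _, name = action.partition(":")
    return name.startswith(READ_ONLY_PREFIXES)


def _is_sensitive(action):
    return action == "*" or action.endswith(":*") or action.startswith(SENSITIVE_PREFIXES)


def _requires_mfa(statement):
    """True when the statement applies only if the caller authenticated with MFA."""
    bool_cond = statement.get("Condition", {}).get("Bool", {})
    return str(bool_cond.get("aws:MultiFactorAuthPresent", "")).lower() == "true"


def lint_policy(policy):
    """Return findings as dicts with the statement index, a short code and a message."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "*" in actions:
            findings.append({"statement": idx, "code": "action-wildcard",
                             "message": "Action '*' allows every API call; list the actions actually needed"})
        elif any(a.endswith(":*") for a in actions):
            findings.append({"statement": idx, "code": "service-wildcard",
                             "message": "service-wide 'svc:*' grants every action in that service"})

        if "*" in resources and not all(_is_read_only(a) for a in actions):
            findings.append({"statement": idx, "code": "resource-wildcard",
                             "message": "write actions on Resource '*'; scope to specific ARNs"})

        if any(_is_sensitive(a) for a in actions) and not _requires_mfa(stmt):
            findings.append({"statement": idx, "code": "no-mfa",
                             "message": "sensitive action allowed without an aws:MultiFactorAuthPresent condition"})
    return findings


# Constructed samples. The first is the kind of policy least privilege rules out.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:AttachUserPolicy"], "Resource": "*"},
    ],
}

# The second grants only what a security-group remediation role needs, and only with MFA.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeInstances"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "ec2:RevokeSecurityGroupIngress",
         "Resource": "arn:aws:ec2:us-east-1:111122223333:security-group/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("overly broad", OVERLY_BROAD_POLICY),
                         ("least privilege", LEAST_PRIVILEGE_POLICY)):
        results = lint_policy(policy)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  statement[{f['statement']}] {f['code']}: {f['message']}")
```

Describe-type actions on Resource "*" are left alone on purpose: most read-only EC2 calls do not support resource-level permissions, so a wildcard resource there is not a least-privilege violation, whereas the same wildcard on a create or attach action is.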

AWS IAM User Management

Usage quotas cannot be set per IAM user, since all limits apply to the AWS account as a single entity. So, if your AWS account can have a maximum of twenty Amazon EC2 instances, any IAM user with EC2 permissions will be able to launch up to that limit, assuming no other instances have been launched by other users of the account.

The number of AWS IAM roles a user can assume is not restricted, but a user can act as only one IAM role at a time when making requests to AWS services. Nonetheless, a single account is limited to a maximum of 250 IAM roles. If more roles are needed, an IAM limit increase request form must be submitted along with the use cases. If the request is approved, the account’s IAM role limit is increased.

To Conclude

It is very important for enterprises to protect their AWS environment, and AWS IAM’s high-level security helps them achieve top-notch security. It does not cost anything and very much reinforces the importance of your security credentials.

Apart from ensuring identity and access management, regular security audits should be run to ensure compliance. Security never comes second in cloud computing. Thus, Botmetric performs a thorough security audit of all the above-mentioned IAM checks and more. These audits are performed on a regular basis, and a summary of findings is delivered to your inbox. If you wish to view a concrete report of all your cloud insights, you can simply download the reports from Botmetric’s reports section.

Start your 14-day free trial today, and let Botmetric help you adhere to IAM best practices to ensure the safety of your AWS cloud infrastructure.

If you need any further assistance, don’t hesitate to connect with us on Twitter. We would love to help you.

In the next part of this article, we will see the best practices which should be followed for effective AWS access control.

How does your organization test IAM policies for AWS resources? Tweet to Us.

AWS Security Best Practices Part 4 : Detective Services

In this AWS security best practices series, we will talk about the next major AWS security threat landscape, revolving around your AWS resource inventory, changes in your infrastructure and all API actions performed. You would have guessed it by now: we are talking about AWS Config, CloudTrail Logs, CloudWatch and VPC Flow Logs. All four put together can be termed the Detective Services from AWS. You can use these services to track and find out who did what and when. They are really useful in finding out about unauthorized access or an act by a disgruntled employee!

Let’s analyze some of the important features of AWS that enable monitoring, storing, and accessing logs and configurations containing information about your entire AWS infrastructure as well as the changes within it. The inventory and configuration management tools help you view constantly updated details of all configuration attributes of your AWS resources. They also allow you to monitor the overall compliance of your AWS resource configurations with business policies and guidelines.

Inventory and configuration management tools

AWS Config

AWS Config is a fully managed service that offers customers an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. Customers can create rules using Config Rules to automatically check the configuration of AWS resources recorded by AWS Config.

With AWS Config, it is easy for enterprises to discover existing and deleted AWS resources, determine overall compliance against rules, and dive into the configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.

AWS CloudTrail

AWS CloudTrail is the service any AWS security detective would love most. It is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. Simply a goldmine of all access attempts, in any form, to your AWS infrastructure!

CloudTrail simplifies compliance reporting for enterprises that use AWS and need to track API calls for one or more AWS accounts. This service can also be configured to feed security information and event management (SIEM) platforms and resource management tooling.

With CloudTrail, it is easy to get the history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history provided by CloudTrail enables security analysis, resource change tracking, and compliance auditing.

VPC Flow Logs

VPC Flow Logs is a feature provided by AWS to let you monitor IP traffic going to and from network interfaces in your VPC. You can use it to verify that no undesired traffic is reaching your EC2 instances within the VPC.

VPC Flow Logs data is stored in the form of CloudWatch Logs. You can create a flow log for a VPC, a subnet or a network interface. Each network interface has its own flow log stream. If you enable flow logs for a VPC, network traffic flow will be logged for all network interfaces in all the subnets within that VPC.

You cannot enable flow logs for EC2 instances on the EC2-Classic platform. Hence, if you have a few instances still left in EC2-Classic, this is another reason you must move them to a VPC!

AWS CloudWatch

AWS CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS. It can be used to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources. AWS CloudWatch can monitor resources like Amazon EC2 instances, Amazon DynamoDB tables, and Amazon RDS DB instances, as well as custom metrics produced by your applications and services. It gives you system-wide visibility into resource utilization, application performance, and operational health. These insights are very helpful in keeping your application’s performance smooth.

Now let’s see the best practices which organizations should follow:

Enable AWS CloudTrail Logs even in regions where you don’t have instances

CloudTrail should be turned on, using the console or the command line interface, in all regions and not just in the regions where you have infrastructure. As you may know, any compromise of your console or of any AccessKey/SecretKey can lead to actions in all AWS regions, since at the time of this writing IAM is still region-agnostic!

Hence, please do enable CloudTrail for all regions. This helps you track changes to resources, answer questions about user activity, demonstrate compliance, troubleshoot, and perform security analysis. You can easily retrieve and view your log files.
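Turning CloudTrail on everywhere is only useful if someone reads the result. Here is an added example (not Botmetric’s code) of the “who did what and when” triage this post describes, run over the `{"Records": [...]}` JSON that CloudTrail delivers to S3. It builds a per-principal activity summary and applies three checks that follow directly from the advice above: API activity in a region the account does not use, console sign-ins without MFA, and AccessDenied errors. The records, the set of expected regions and the account id are constructed for this example, and the source addresses come from a documentation address range.

```python
"""Triage a CloudTrail log file: who did what, where, and which events deserve a look.

Added example, not Botmetric's code. It reads the {"Records": [...]} shape that
CloudTrail delivers to S3. The records are constructed; 203.0.113.0/24 is a
documentation address range and the account id 111122223333 is a placeholder.
"""
import json
from collections import Counter

# Regions this (hypothetical) account actually uses; anything else is worth a look.
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}


def parse_records(raw_json):
    """CloudTrail files wrap events in a top-level 'Records' array."""
    return json.loads(raw_json)["Records"]


def caller(record):
    """Best human-readable name for the principal behind an event."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def detect(records, expected_regions=EXPECTED_REGIONS):
    """Return findings (rule, who, event, region, source IP, time) for suspicious records."""
    findings = []
    for rec in records:
        base = {"who": caller(rec), "event": rec.get("eventName"),
                "region": rec.get("awsRegion"), "source_ip": rec.get("sourceIPAddress"),
                "time": rec.get("eventTime")}
        if rec.get("awsRegion") not in expected_regions:
            findings.append({"rule": "unexpected-region", **base})
        # Console sign-ins record whether MFA was used in additionalEventData.
        if rec.get("eventName") == "ConsoleLogin" and \
                rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append({"rule": "console-login-without-mfa", **base})
        if rec.get("errorCode") == "AccessDenied":
            findings.append({"rule": "access-denied", **base})
    return findings


def activity_summary(records):
    """Count API calls per (principal, event name): the 'who did what' view."""
    return Counter((caller(rec), rec.get("eventName")) for rec in records)


# Constructed sample log file (fields follow the CloudTrail record format).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2016-09-28T09:58:12Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "eventType": "AwsApiCall"},
    {"eventVersion": "1.05", "eventTime": "2016-09-28T10:02:45Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"},
     "eventType": "AwsConsoleSignIn"},
    {"eventVersion": "1.05", "eventTime": "2016-09-28T10:15:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "eventType": "AwsApiCall"},
    {"eventVersion": "1.05", "eventTime": "2016-09-28T10:16:30Z",
     "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::111122223333:user/bob is not authorized to perform: iam:ListUsers",
     "eventType": "AwsApiCall"},
]})

if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    for (who, event), count in sorted(activity_summary(records).items()):
        print(f"{who:8} {event:20} x{count}")
    for f in detect(records):
        print(f'[{f["rule"]}] {f["time"]} {f["who"]} {f["event"]} in {f["region"]} from {f["source_ip"]}')
```

The unexpected-region rule is the one that only works because CloudTrail is enabled in every region: the RunInstances call in ap-southeast-1 would never appear in the log at all if the trail covered only the regions in use.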

Enable AWS Config for all your major regions and for all the services you use

As discussed above, enabling AWS Config is helpful in a wide range of use cases such as discovery, change management, continuous audit and compliance, and troubleshooting. Using AWS Config, an IT administrator can easily find out when and how any resource went out of compliance.

Enable VPC Flow Logs for all VPCs

It is always better to be safe than sorry, so it is recommended to enable flow logs for all your major production VPCs. Enabling VPC Flow Logs captures information about the IP traffic going to and from network interfaces in your VPC. Flow logs also help with multiple tasks, such as troubleshooting why specific traffic is not reaching an instance and monitoring the traffic that is reaching your instances.
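The two uses named above, checking what is reaching an instance and troubleshooting what is not, both start with parsing the flow-log records. Here is an added example (not Botmetric’s code) that parses records in the default flow-log format (version 2, fourteen space-separated fields), skips NODATA/SKIPDATA records, and reports two things: connections accepted to sensitive ports from addresses outside the VPC, and REJECT counts per external source. The sample lines, the VPC CIDR and the list of sensitive ports are constructed for this example; the source addresses come from documentation address ranges.

```python
"""Parse VPC Flow Log records and pick out traffic worth a second look.

Added example, not Botmetric's code. The records use the default flow-log
format (version 2, 14 space-separated fields); the sample lines, the VPC CIDR
and the list of sensitive ports are constructed for this example.
"""
import ipaddress
from collections import Counter

# Default flow-log record fields, in order.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Assumptions for this example: the VPC's address space and ports that should
# never accept connections from outside it.
VPC_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]
SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}


def parse_flow_log(text):
    """Turn raw flow-log lines into dicts; numeric fields become ints, '-' becomes None."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                          # not a default-format record
        rec = {}
        for name, value in zip(FIELDS, parts):
            if value == "-":
                rec[name] = None
            elif name in INT_FIELDS:
                rec[name] = int(value)
            else:
                rec[name] = value
        records.append(rec)
    return records


def _inside_vpc(addr, vpc_cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in cidr for cidr in vpc_cidrs)


def analyze(records, vpc_cidrs=VPC_CIDRS, sensitive_ports=SENSITIVE_PORTS):
    """Return accepted external connections to sensitive ports, and REJECT counts per source."""
    accepted_external = []
    rejects_by_source = Counter()
    for rec in records:
        if rec["log_status"] != "OK":         # NODATA / SKIPDATA carry no traffic fields
            continue
        external_src = not _inside_vpc(rec["srcaddr"], vpc_cidrs)
        if rec["action"] == "ACCEPT" and external_src and rec["dstport"] in sensitive_ports:
            accepted_external.append({"srcaddr": rec["srcaddr"], "dstaddr": rec["dstaddr"],
                                      "dstport": rec["dstport"],
                                      "service": sensitive_ports[rec["dstport"]],
                                      "bytes": rec["bytes"]})
        if rec["action"] == "REJECT" and external_src:
            rejects_by_source[rec["srcaddr"]] += 1
    return {"accepted_external_to_sensitive": accepted_external,
            "rejects_by_source": dict(rejects_by_source)}


# Constructed sample: one MySQL connection accepted from outside the VPC, one
# internal MySQL connection, three rejected probes from one external host, one NODATA record.
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0abc123def456789a 203.0.113.7 10.0.1.25 51234 3306 6 10 840 1475059200 1475059260 ACCEPT OK
2 111122223333 eni-0abc123def456789a 10.0.2.14 10.0.1.25 43210 3306 6 50 6000 1475059200 1475059260 ACCEPT OK
2 111122223333 eni-0abc123def456789a 198.51.100.9 10.0.1.25 40001 22 6 1 44 1475059200 1475059260 REJECT OK
2 111122223333 eni-0abc123def456789a 198.51.100.9 10.0.1.25 40002 23 6 1 44 1475059200 1475059260 REJECT OK
2 111122223333 eni-0abc123def456789a 198.51.100.9 10.0.1.25 40003 3389 6 1 44 1475059200 1475059260 REJECT OK
2 111122223333 eni-0abc123def456789a - - - - - - - 1475059260 1475059320 - NODATA
"""

if __name__ == "__main__":
    result = analyze(parse_flow_log(SAMPLE_FLOW_LOG))
    for hit in result["accepted_external_to_sensitive"]:
        print(f'ACCEPTED from outside VPC: {hit["srcaddr"]} -> {hit["dstaddr"]}:{hit["dstport"]} ({hit["service"]})')
    for src, count in result["rejects_by_source"].items():
        print(f"{count} rejected connections from {src}")
```

The accepted MySQL connection from outside the VPC is exactly the condition the security group audit earlier on this page is meant to prevent; flow logs are how you confirm whether such a rule was actually used before you remove it. The REJECT counts answer the troubleshooting question in the other direction: traffic that never reached the instance shows up here with the port it was aimed at.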

Enable ELB Access Logs for all public ELBs

By enabling ELB access logs, you get easy access to logs that contain comprehensive information about all requests sent to your load balancer.

Enable Termination Protection for your critical EC2 production instances

Enabling termination protection prevents your instance from being terminated by mistake using the Amazon EC2 APIs. It mainly helps you avoid accidental termination of your critical EC2 instances. It also adds an extra layer of security: even if your AccessKey/SecretKey has been compromised, the attacker cannot terminate the instances unless your AWS console is also compromised.

You must follow these simple tips religiously and ensure that you use all the detective services provided by AWS. The idea is to be prepared. Security should be treated as task zero on the AWS cloud.

Getting deep insights into the behaviour and performance of your cloud computing resources is of utmost importance. But it is also important to examine the various parameters that let enterprises proactively monitor their critical cloud infrastructure, including applications hosted on the cloud. You must perform regular AWS security audits to ensure that all the AWS security best practices are being followed for your AWS infrastructure. But performing such an extensive audit manually at regular intervals, even once a day, is a difficult task.

Botmetric’s thorough AWS security audit helps you discover AWS security best practice violations within minutes. It also allows you to automate the security audit of your infrastructure and deliver results directly to your inbox.

If you aren’t using Botmetric yet, sign up for a 14-day trial and automate your security audit.

Hope this post helps you in strengthening your AWS cloud infrastructure’s security. We would love to hear your feedback and questions. Tweet to Us.

Other posts in our AWS Security Best Practices series:

AWS Security Best Practices Part 1 : IAM & EC2 Key Pairs

AWS Security Best Practices Part 2 : Network Security

AWS Security Best Practices Part 3 : Data Security

AWS Security Best Practices Part 3 : Data Security

In this AWS security best practices series, we will talk about the next major AWS security threat landscape: data security. We have previously discussed best practices with respect to access controls and network security on AWS.

Customers raise many questions with IT management, mainly when it comes to securing their data. To lessen the fear of losing data, it is nowadays suggested that data be stored in the cloud. Cloud security, with AWS at the forefront, has come a long way in providing data security tools and mechanisms. Now, cloud storage is considered a safer option compared to storing data on a corporate network.

As part 3 of our AWS security best practices series, we will discuss how data security is accomplished in AWS, and the best practices to be followed to achieve an efficient data security strategy on AWS.

A recently published Gartner report shows that the market for data loss prevention solutions is growing rapidly, at a rate of more than 20 percent year over year. Yet the report also makes clear that enterprises are struggling to set up appropriate data protection policies. They are trying hard to establish the best data security measures as they handle sensitive data.

AWS understands that maintaining customers’ data security is a continuous commitment. That’s why AWS informs its clients of the important data security policies, tools, mechanisms and best practices. These include:

Encrypting Data at Rest

Encrypting sensitive data requires three main components:

  1. Availability of data to encrypt
  2. A way to encrypt the data using a cryptographic algorithm
  3. Encryption keys that can be used in conjunction with the data and the algorithm

Most modern programming languages offer a variety of accessible cryptographic algorithms, for example the Advanced Encryption Standard (AES). By choosing the right algorithm you can successfully encrypt your data. As important as the encryption algorithm is, protecting the keys from unauthorized access is just as important. The keys are usually protected with the help of a key management infrastructure (KMI). A familiar way to secure keys in a KMI is to use a hardware security module (HSM), which offers tamper resistance to protect keys from unauthorized access.

AWS suggests that enterprises first work out which encryption and key management model is right for their data classifications. They can then choose a managed service for easier operation and tighter integration with AWS cloud services, which helps them encrypt data across the several services that store it.

AWS provides built-in encryption for its data storage services and also lets you configure the encryption mechanism. Below is the list of data storage services for which AWS provides encryption mechanisms:

  1. S3
  2. RDS
  3. Redshift
  4. EBS

For more details on the storage services and respective encryption mechanisms, please refer to this white paper on Encrypting Data at Rest on AWS.

AWS Key Management Service (KMS)

The new AWS Key Management Service (KMS) gives you full control over your encryption keys and provides a new alternative for data protection. It also helps you handle the scalability and availability issues that come with running key management yourself. Used properly, AWS Key Management Service can effectively address the persistent concerns about moving sensitive data to the cloud.

AWS CloudHSM

AWS CloudHSM helps not only large enterprises but also small and midsize businesses. It is useful to AWS cloud customers as well as to customers of other cloud providers who store their cryptographic keys on AWS.

Put simply, AWS CloudHSM is a service that lets each customer securely generate, store, and manage cryptographic keys within the public cloud. It has emerged as one of the best ways to use and manage cryptographic keys in the public cloud itself. With CloudHSM, protected key management is possible even for workloads that run outside the public cloud.

Data Security Do’s

Below are some of the best practices organizations must follow to enhance their data security on AWS.

Ensuring all sensitive data is encrypted at rest.

To avoid unauthorized access, it is imperative to make sure that your data is encrypted at every end. This is where AWS helps considerably by providing data encryption services and standing behind their performance. It is always better to use the native encryption provided with RDS, S3, EBS, and so on.

Ensuring proper permissions for your S3 buckets.

By default, all Amazon S3 buckets are private. Access to a bucket is granted only to the resource owner and the AWS account that was used to create it. The resource owner can, however, grant access to other resources and users by writing an access policy. To avoid a data breach, never grant everyone access to an S3 bucket.

Using HTTPS/SSL every time while transferring data over the internet or across regions.

The Internet is a dangerous place for businesses, which is why securing file transfers deserves close attention. To protect data from being sniffed as it traverses the Internet, HTTPS/SSL should be used every time data is transferred.

Data Security Don’ts

Below are some of the things you must never do if you don’t want unauthorized access to your data on AWS.

Do not disclose unnecessary information about an individual to a third-party.

Data exposure scanning is not a one-time project. You should always avoid sharing any individual's data with a third party without the individual's prior approval.

Do not ignore the security checks of your supply chain partners.

Many of today's security breaches come through third parties or partners that manage sensitive enterprise data. Never skip checking your partners' authenticity; doing so ensures that your customers' data will not be compromised through them.

Don’t forget to frequently update and patch specialized hardware.

You should keep updating your specialized hardware regularly. It is advisable to use two-factor authentication for all remote access to ensure better safety.

To summarize, in order to secure your data, you must do two things:

  1. For data at rest: encrypt it
  2. For data in transit: use HTTPS/TLS

Following these simple best practices, you can protect your business applications from data security threats to a great extent.

Botmetric helps you in performing regular security scans of your AWS infrastructure and provides you the list of security best practices violations. If you haven’t started using Botmetric yet, sign up for a 14-day free trial and let us help you in security examination of your AWS infrastructure.

We hope that this article helps you implement effective data security measures. We would love to hear your feedback and suggestions. Tweet to us.

Next in our AWS security best practices series, we will talk about another major threat landscape: Inventory/Config.

21 AWS Cloud Security Best Practices You Must Know

Security is at the forefront for any online business today, and on Amazon Web Services Cloud, security is job zero. This is perhaps the top reason to adopt the AWS Cloud for your business. Keep a tab on the AWS security page to stay on top of the challenges and solutions to the most common security issues on AWS. In this blog post we go over some of the most important AWS cloud security best practices that you must know and enforce.

You may have enforced the basic security best practices. However, since a large volume of resources is modified and launched in your AWS cloud infrastructure every day, there is a good chance that you have missed some vital security best practices. There will also be opportunities to implement new security measures and to tweak your existing security plan. Doing so ensures your AWS Cloud infrastructure runs smoothly and is fully protected from serious threats and data breaches.

Botmetric implements the security best practices for you and performs a comprehensive audit of your AWS cloud infrastructure to ensure protection against common threats.

Here is the list of the top 21 security checks that must be performed regularly to 'bullet-proof' your AWS infrastructure:

  1. Security Groups

A security group acts as a virtual firewall that controls the inbound and outbound traffic for one or more instances. You associate a security group with each instance at launch. If a rule leaves a port open to any IP address or to the public, there is a chance of a data breach. To avoid exposure to security vulnerabilities, we recommend that only the required ports are kept open, and only to the relevant IP ranges and security groups.

  2. IAM MFA Audit

To add an extra layer of security to your AWS account, enable Multi-Factor Authentication (MFA) for IAM users to safeguard your critical data from online attackers.

  3. ELB Access Log

If you have not enabled access logging for your Elastic Load Balancers, you have no record of who is accessing them and your data is exposed to threats you cannot see. We recommend enabling ELB access logs for enhanced security.

  4. Termination Protection

If your AWS EC2 instances do not have API termination protection enabled, an automated process may accidentally terminate them. We recommend enabling termination protection on all mission-critical EC2 instances running in your AWS account.

  5. ELB Listener Security Audit

If a load balancer has no listener that uses a secure protocol (HTTPS or SSL), your data is at risk. Configure one or more secure listeners for your load balancer, and always create HTTPS or SSL listeners for public-facing ELBs.

  6. Unused IAM Access Keys

If certain IAM access keys have not been used in the last 30 days, or at all since they were created, we highly recommend removing them to improve security and avoid key compromise.

  7. RDS Security Audit (for VPC SG and for list of ports)

For AWS RDS instances whose DB port is open to the public or to a wide range of IPs, we recommend opening the port only to the required IPs and security groups.
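The Security Groups and RDS Security Audit checks above, as an added example in Python (not Botmetric's code): it walks inbound rules in the shape the EC2 DescribeSecurityGroups API returns and flags ports open to the world, wide port ranges, and DB ports reachable from outside a trusted range. The sample groups, the trusted range and the port lists are constructed for the example.

```python
import ipaddress

# Constructed sample in the shape of EC2 DescribeSecurityGroups output (in practice
# taken from boto3.client("ec2").describe_security_groups()["SecurityGroups"]).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-rds", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "198.51.100.0/24"}]}]},
    {"GroupId": "sg-wide", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

DB_PORTS = {3306, 5432, 1433, 1521}          # common RDS engine ports (RDS Security Audit)
TRUSTED_CIDRS = {"10.0.0.0/8"}               # assumed: the only ranges allowed to reach a DB port
PUBLIC_OK = {80, 443}                        # single ports a public web tier may expose
MAX_RANGE = 100                              # wider inbound port ranges are flagged for any source

def rule_ports(perm):
    """Protocol -1 (all traffic) covers every port; otherwise use the rule's own bounds."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]

def audit_security_groups(groups):
    """Return (group_id, reason) findings for inbound rules; SG-to-SG references are not flagged."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            lo, hi = rule_ports(perm)
            label = f"port {lo}" if lo == hi else f"ports {lo}-{hi}"
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                # A /0 prefix (0.0.0.0/0 or ::/0) means "the whole Internet".
                world = ipaddress.ip_network(cidr, strict=False).prefixlen == 0
                if hi - lo + 1 > MAX_RANGE:
                    findings.append((sg["GroupId"], f"{label} open to {cidr}"))
                elif world and not (lo == hi and lo in PUBLIC_OK):
                    findings.append((sg["GroupId"], f"{label} open to {cidr}"))
                elif lo in DB_PORTS and cidr not in TRUSTED_CIDRS:
                    findings.append((sg["GroupId"], f"DB {label} open to untrusted range {cidr}"))
    return findings
```

Port 443 open to the world on the web tier passes, while the same group's SSH rule, the database reachable from a non-trusted range, and both wide rules are reported.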

  8. Root Account Access Key

The root account access key audit on Botmetric identifies whether any active access key is associated with your AWS root account. One of the best ways to protect your account is to have no access key for the root account at all. Instead, create one or more AWS Identity and Access Management (IAM) users and give them the necessary permissions.

  9. IAM Admin Roles Audit

Relying on a single all-powerful IAM admin for your AWS account is risky. Instead, create one or more IAM users, give them only the permissions they need, and use these IAM users for everyday interaction with AWS. Also, prefer temporary security credentials (IAM roles) over long-term access keys.

  10. IAM Password Policy

When you set a password policy for your AWS account, always specify complexity requirements and make password rotation mandatory when an IAM user's password expires. By doing this, you ensure that your account credentials are in safer hands!

  11. IAM Policy (for Managed Policies)

If you have granted complete control of your AWS account to a single IAM user, there is a risk of a data breach, because that user can access any of your resources at any time. Botmetric lists such IAM users for your AWS account so that you can decide which particular IAM users should keep full access and which should not. You can also exclude any IAM user you feel does not need full access in future.

  12. CloudTrail

No CloudTrail = security risk!

AWS CloudTrail is a web service that records the API calls made on your account and delivers log files to your Amazon S3 bucket. Customers who want to track changes to resources, answer simple questions about user activity, demonstrate compliance, troubleshoot, or perform security analysis should enable CloudTrail.

  13. IAM Admin Count

This audit reports the total number of admin accounts. Too many IAM admin accounts can lead to security issues, so it is recommended not to have many IAM users with admin rights.

  14. SSL Expiry

If you have uploaded SSL certificates to Amazon Web Services for ELB (Elastic Load Balancing) or CloudFront (CDN), you will want to keep an eye on their expiration dates and renew the certificates on time to ensure uninterrupted service.

The Botmetric SSL Expiry audit lists all SSL certificates, sorted by expiration date.

  15. Root Account MFA

Never forget to enable MFA for your root account. The best option is to give limited access only to privileged IAM users.

  16. Unused Security Group

If certain security groups are not used or attached to any instances, it is recommended to remove them.

  17. RDS Encryption

Encrypting your RDS instances is good practice. If your RDS instances are not encrypted at the database storage level, you can use Amazon RDS encryption to increase data protection for your applications deployed in the cloud and to fulfil any compliance requirements for data-at-rest encryption.

  18. Old IAM Access Keys

As an administrator, we recommend that you regularly rotate (change) the access keys of the IAM users in your account. If you have given users the necessary permissions, they can rotate their own access keys. Meanwhile, change any access keys older than 60 days to enhance the security of your AWS accounts.
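The IAM MFA Audit, Unused IAM Access Keys, Root Account Access Key, Root Account MFA and Old IAM Access Keys checks, as one added example in Python (not Botmetric's code): it reads an IAM credential report (the CSV that GetCredentialReport returns) and applies the 30-day unused and 60-day rotation thresholds from the checks above. The report rows, the account id and the fixed "now" date are constructed for the example; only the columns the checks read are included.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample using the column names of the IAM credential report
# (in practice from boto3.client("iam").get_credential_report()["Content"]).
# Only the columns the checks below read are included; account id is a placeholder.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2016-01-10T08:00:00+00:00,not_supported,false,true,2016-01-10T08:00:00+00:00,2017-02-01T09:30:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,2016-06-01T12:00:00+00:00,true,true,true,2017-01-20T12:00:00+00:00,2017-02-27T07:15:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111111111111:user/bob,2016-06-01T12:00:00+00:00,true,false,true,2016-09-01T12:00:00+00:00,2016-12-15T10:00:00+00:00,true,2017-02-20T12:00:00+00:00,N/A
deploy,arn:aws:iam::111111111111:user/deploy,2016-11-05T12:00:00+00:00,false,false,true,2016-11-05T12:00:00+00:00,N/A,false,N/A,N/A
"""

NOW = datetime(2017, 3, 1, tzinfo=timezone.utc)   # fixed "today" so the results are reproducible
UNUSED_AFTER = timedelta(days=30)                  # Unused IAM Access Keys threshold
ROTATE_AFTER = timedelta(days=60)                  # Old IAM Access Keys threshold

def parse_ts(value):
    """Report timestamps are ISO 8601; 'N/A' and 'no_information' mean no data."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)

def audit_credential_report(report_csv, now=NOW):
    """Return (user, reason) findings; the root user is identified by the literal <root_account>."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, is_root = row["user"], row["user"] == "<root_account>"
        # Root always has a console password (the report says not_supported for it).
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "root MFA disabled" if is_root else "console user without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"active root access key {n}"))
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            last_used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if rotated and now - rotated > ROTATE_AFTER:
                findings.append((user, f"key {n} older than {ROTATE_AFTER.days} days"))
            # A key never used counts as unused since it was created (rotated).
            if (last_used or rotated) and now - (last_used or rotated) > UNUSED_AFTER:
                findings.append((user, f"key {n} unused for more than {UNUSED_AFTER.days} days"))
    return findings
```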

  19. S3 Bucket Permissions

By default, all S3 bucket permissions are private, and you grant Read/Write access to others by writing an access policy. Bucket permissions that grant List access to everyone can also result in higher than expected charges if unintended users list the objects in the bucket at a high frequency. Make sure you grant only limited access permissions.
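The S3 bucket permissions advice above (and the "Ensuring proper permissions for your S3 buckets" point in the data security post), as an added example in Python (not Botmetric's code): it inspects a bucket policy in standard IAM policy JSON and a bucket ACL in the shape GetBucketAcl returns, and reports grants to everyone. The policy, the ACL grants, the bucket name and the account id are constructed for the example.

```python
import json

# Constructed sample bucket policy in the standard IAM policy JSON shape
# (in practice from boto3.client("s3").get_bucket_policy(Bucket=...)["Policy"]).
SAMPLE_POLICY = json.dumps({"Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]})

# Constructed sample in the shape of the "Grants" list returned by GetBucketAcl.
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

PUBLIC_GROUPS = {   # the two predefined S3 groups that make an ACL grant public
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def as_list(value):   # policy fields may be a single string or a list of strings
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """'*' or {'AWS': '*'} (possibly inside a list) means anyone, signed in or not."""
    return principal == "*" or (isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])))

def audit_bucket_policy(policy_json):
    """Flag Allow statements that grant S3 actions to everyone; note whether a Condition narrows them."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow" or not is_public_principal(st.get("Principal")):
            continue
        actions = ", ".join(as_list(st.get("Action", [])))
        scope = "restricted by Condition" if st.get("Condition") else "unrestricted"
        findings.append((st.get("Sid", "<no Sid>"), f"{actions} granted to everyone ({scope})"))
    return findings

def audit_bucket_acl(grants):
    """Flag ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [(g["Permission"], PUBLIC_GROUPS[g["Grantee"]["URI"]]) for g in grants
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]
```

A statement that names a specific role passes, while the world-readable listing and the IP-conditioned public read are both reported, the latter marked so a reviewer can judge whether the condition is tight enough.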

  20. Service Log Expiry

It is advisable to enable service log expiration for each of your logging buckets so that you do not miss the expiration dates. Botmetric Security Audit Insights alerts you when a service log is due to expire.

  21. Domain Expiry

Botmetric also alerts you when your domain name is about to expire so that you can renew it in time.

These are just some of the security measures you must take to bring a decent level of security to your AWS cloud infrastructure. Make sure you follow all of these security best practices and enforce them across your AWS Cloud infrastructure.

The Botmetric Security & Compliance solution performs a thorough security audit of all the checks mentioned above, and more. These audits run on a regular basis, and a summary of findings is delivered to your inbox. If you wish to view a concrete report of all your cloud insights, you can simply download the reports from Botmetric's reports section.

So, start a 14-day free trial today, and let Botmetric help you make sure that you are following the industry best practices for securing your AWS Cloud infrastructure.

If you need any further assistance, don’t hesitate to connect with us on Twitter. We would love to help you.